• State Not Answered
  • Replies 3 replies
  • Subscribers 76 subscribers
  • Views 228 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 339933
Options

How to decrypt a Wireshark capture of an MQTTS connect from nRF9160 to AWS

Burt

Hi,

We have a pcap file of a MQTTS connection to AWS, provided by the Soracom SIM console. I will print the first lines of the Wireshark trace so you can see what I am working with.

What technique can I use--and it is fine if I have to rebuild my asset_tracker_v2 firmware, and I will be happy to know how to do this with any level of SDK, and it does not have to be asset_tracker_v2, but any application or sample that uses MQTTS would be fine--to allow me to see the unencrypted data rather than the encrypted data for the MQTTS packets. For example, you can see with packet 35 expanded that I am looking at the encrypted data by default:

Thank you very much. I know this can be done when the client is a browser on a computer, but I don't know the techniques when TLS is on an embedded device that uses modem firmware, like the nRF9160 we use.

Regards,

Burt Silverman

Parents
  • 0

    To see the decrypted messages depends on the selected cipher suite.

    If a PSK without ??DHE cipher suite is used, it's quite easy to add the secret to the "settings->protocols->TLS" in the field "Pre-Shared Key". But your capture shows certificates, so that will not apply.

    With certificates usually ??DHE (Diffie–Hellman Ephemeral Key Exchange) is used, so decryption only works, if one of the sides is able to export the "Pre-Master-Secret". I don't know, if AWS endpoints provide that data. Nor, if the device is able to provide that. (I run my own CoAP/DTLS 1.2 CID endpoints, and for such tests I'm usually switch to PSK.)

    (An not too easy alternative would be to run a own cloud vm with an TLS-TCP-TLS-forward. That will come with it's own certificates and the device must redirect the connection to that and update the trust store as well.  Then you may be able to do "the man in the middle attack" (that's only possible, because you add the trust to that "man in the middle").)

Reply
  • 0

    To see the decrypted messages depends on the selected cipher suite.

    If a PSK without ??DHE cipher suite is used, it's quite easy to add the secret to the "settings->protocols->TLS" in the field "Pre-Shared Key". But your capture shows certificates, so that will not apply.

    With certificates usually ??DHE (Diffie–Hellman Ephemeral Key Exchange) is used, so decryption only works, if one of the sides is able to export the "Pre-Master-Secret". I don't know, if AWS endpoints provide that data. Nor, if the device is able to provide that. (I run my own CoAP/DTLS 1.2 CID endpoints, and for such tests I'm usually switch to PSK.)

    (An not too easy alternative would be to run a own cloud vm with an TLS-TCP-TLS-forward. That will come with it's own certificates and the device must redirect the connection to that and update the trust store as well.  Then you may be able to do "the man in the middle attack" (that's only possible, because you add the trust to that "man in the middle").)

Children
No Data
Related
Terms of service